Hackers used EA's website to host a fake Apple login screen designed to steal visitors' credit card information and Apple IDs, a security firm reported today. The fake page appeared to exist on a subdomain of EA.com and is said to have looked almost exactly like Apple's current login screen. While there's no reason you would currently need or be able to log into an Apple account through EA's website, the domain certainly provides a veneer of respectability that could help to deceive visitors. EA says that it is currently investigating the matter.
Hackers likely went through an outdated calendar app
"Privacy and security are of the utmost importance to us, and we are currently investigating this report," an EA spokesperson writes in an email to The Verge. The fake page was said to still be live this morning; as of this afternoon, EA said that it had disabled any fake websites that it may have found. "We’ve taken immediate steps to disable any attempts to misuse EA domains," a spokesperson said. Nonetheless, EA said that it had yet to confirm the "underlying claims" made by the security researchers.
The hack was reported by the security firm Netcraft, which says that it informed EA of the issue last night. The fake page was said to first prompt visitors for their Apple ID and password, and then follow up with fields for their credit card and other information. Fortunately, it may be hard to stumble upon the page should it still be live: Netcraft provides a list of phishing sites for other companies' anti-virus and filtering systems to block, and it says that its list is used by "all the major web browsers." Since the hacked EA page is now on the list, it may be blocked for most.
Netcraft says that the hackers were able to put the fake page up after compromising an EA server that's used to host two EA.com sites. The server was reportedly used to host a calendar application, but EA had apparently been using a severely outdated version of the calendar, likely allowing the hackers to slip in. Netcraft says there is no immediate evidence that internal data on the server was accessed.
Update: Shortly before 5PM ET, EA said that it had located the issue and was working to ensure that the vulnerability will no longer be exploitable. "We found it, we have isolated it, and we are making sure such attempts are no longer possible," a company spokesperson said.